Lte-Epc Technology Essentials Workshopv2

LTE/EPC Technology Essentials- Fast Track
LTE-EPC WORKSHOP
LTE/EPC TECHNOLOGY ESSENTIALS
Fast Track
Hussien Mahmoud- PS Core/EPC Consultant
LTE Workshop
Introduction
This Workshop is a fast track Course to cover the basic architecture and functionalities of
the LTE-EPC from the Packet Core Perspective. The course is a little bit advanced and the
target Audience is requested to have a basic PS Foundations and Mobility Knowledge
as a prerequisite. The course will cover the LTE-EPC Architecture, Call flows, Mobility and
session management in addition to introductory slides for the EPS Security and LTE-DNS.
Author Information
Hussien Mahmoud
PS Core/ EPC Consultant
Packet Core Networks
Linkedin: https://eg.linkedin.com/in/hussienmahmoud
LTE Workshop
LTE/EPC Technology Essentials

LTE/EPC
Overview.
LTE/EPC Network Architecture.
LTE/EPC Mobility and Session Management.
LTE/EPC Security and Authentication.
DNS Functionalities in LTE.
LTE/EPC Overview
Module One
LTE/EPC Overview
Adapt the user requirements for high speed data and efficient
quality.
2G GPRS Mobile Technology was the first step to provide data services over
the mobile networks.
3G Technology provides a higher data rates support with better integrity.
LTE has the biggest challenges to overcome over the later technologies
LTE/EPC Overview
LTE is compatible with the
current 2G/3G Network as it is
counted as the next step of 3G
HSPA Network.
LTE have been developed by the
same standard group of 2G/3G
(3gpp).
Release 13 , IOT and M2M

integration and customization of
RAN plus Major enhancement for
LTE features (SRVCC, power
reduction).
Release 14 , Introduction of 5G
Networks Next Generation.
LTE/EPC Overview.
Flat Architecture: 2 nodes based IP interface architecture.
Flat network architecture are characterized by fewer network elements, lower
latency, greater flexibility and lower operation cost.
3GPP
R6
3GPP
R7
3GPP
R7 IHSPA
3GPP
R8
LTE
LTE/EPC Network
Architecture
Module Two
LTE/EPC Network architecture

Introduction
The LTE Network consists of mainly two parts
The Enhanced UTRAN part which is composed of only EnodeB.
The EPC part which includes the main components of the LTE
Technology such as : MME , SGW ,PGW ,HSS and PCRF.

Introduction
The LTE-EPC interfaces is divided in to interfaces that serves user plane, and
interfaces that serves control plane in addition to hybrid interfaces that serves
both user/control plane.

EnodeB
The EnodeB provides the Radio physical
layer and Radio resource management of the
formal NodeB.
Through the new Added X2 interface , the
EnodeB can do a call handover without the
EPC involvement.
Enode B provides the user date routing
through the SAE-GW.
Provide the MME Selection Algorithm.

EnodeB: Protocol Stack
NAS
NAS
Relay
RRC
Control
Plan
S1-AP
PDCP
RRC
PDCP
S1-AP
SCTP
RLC
RLC
IP
IP
MAC
MAC
L2
L2
L1
L1
L1
L1
LTE-Uu
UE
SCTP
S1-MME
eNodeB
MME
Application
User
Plane
IP
IP
Relay
Relay
PDCP
GTP-U
GTP-U
GTP-U
PDCP
GTP-U
RLC
RLC
UDP/IP
UDP/IP
UDP/IP
UDP/IP
MAC
MAC
L2
L2
L2
L2
L1
L1
L1
L1
L1
L1
LTE-Uu
UE
S1-U
eNodeB
S5/S8
a
Serving GW
SGi
PDN GW

EnodeB: Protocol Stack-Control Plane
The EnodeB Protocol stack is divided
into Control plane and User plane.
The RRC is the main layer on the
Control plane which includes all the
radio resource management functions.

EnodeB: Protocol Stack-User Plane

EnodeB: X2 Interface
The X2 interface main function is to provide an E-UTRAN handover
without the involvement of the Core network .
The control plan is based on SCTP and User plane is based on UDP.
The handover Data is buffered within the EnodeB and tunneled through
a GTP interface to the Enode B.

EnodeB: X2 Interface
The control plane is handled by the X2-AP layer.

Mobility Management Entity
The MME is the main signaling Node across the LTE Network, the MME only
handles the Signaling and doesnt include any user plane processing.

The MME provides a Session management
function through Attach/Detach procedures ,
Bearer Management Across EPC
(setup/release)etc
The MME provides a Mobility management
function through Tracking Area Updates and also
MME tracking area update through S10 interface.
the MME is connected to the HSS subscriber
management through the S6a interface , thus
provide a user authentication.

The MME Provides the main Roaming Architecture for inbound roamers flow.
.the MME provides an integration point with the 2G/3G Core SGSN through
the S3 interface which facilitate a better user mobility

Mobility Management Entity: Protocol Stack
The MME mobility and session management functionalities is implemented on
the NAS layer.
The non-access stratum (NAS) is highest protocol of the control plane between
UE and MME at the radio interface.

Mobility Management Entity: Protocol Stack
NAS
NAS
Relay
RRC
S1-AP
PDCP
RRC
PDCP
S1-AP
SCTP
RLC
RLC
IP
IP
MAC
MAC
L2
L2
L1
L1
L1
L1
UE
LTE-Uu
eNodeB
SCTP
S1-MME
MME

Mobility Management Entity: S1-AP interface
Provide a Control interface to the Enode Bs.
All signaling messages mobility and session management will flow through
this interface.
No traffic .
The control plans is based on SCTP.
S1-AP is the application protocol .
Multiple S1-MME is supported

Mobility Management Entity: S1-AP interface

Mobility Management Entity: S11 Interface
Provides a control interface between the MME and SAE GW.
No traffic Only control plane.
Multiple S11 connectivity to several SAE GW.
The MME controls the user plane data through this interface.
GTP-C
GTP-C
UDP
UDP
IP
IP
L2
L2
L1
L1
S11
MME
S-GW

Mobility Management Entity: S6a Interface
The main functionality is to provide access to the HSS which is a
subscriber management node.
The connection is purely control plane
The connection is based on SCTP and is using a Diameter protocol instead
of the old SS7 application.
The HSS Stores the subscriber data information (User ISD , Auth. Vectors ,
user apn profiles , QoS, TAI)

Mobility Management Entity: S10 Interface
The main functionality is to connect the MME with the neighbor MME for
Different purposes.
The interface supports only control plane.
Inter MME Handover , subscriber IMSI retrieval , subscriber contexts.

Serving SAE Gateway
The SAE acts as a user plane anchor where it manages the user data path
through the S1-U and S5/S8 interface by forwarding the packets and
buffering the data packets incase the idle mode.
The SAE is controlled by one or more MME through the S11 interface.
Multiple EnodeBs is connected via the SGW , where the SGW acts as a
packet anchor for data handover.
Setup and release the SAE bearer.
Lawful interception.

Serving SAE Gateway
Mobility anchoring for inter-3GPP mobility (S4 Interface).
ECM-IDLE mode downlink packet buffering and notifying for MME.
Packet routing and forwarding.
Uplink and Downlink Transport Level Marking.
Accounting for inter-operator charging.

Serving SAE Gateway: S1-U Interface
Provide user plane interface to the
Enode Bs.
All user traffic are forwarded using
this interface
The user plan is based on GTP tunnels.
Multiple S1-U connectivity is
supported is supported

S1-U/S11 Connectivity
Case-A the basic connectivity model for the LTE-EPC data plane where the Enode is
connected to one MME and one SAE GW.
Case-B the Enode B is connected to only one MME and multiple SAE-GW controlled by
the same MME.

S1-U/S11 Connectivity
Case-C the Enode B is connected to multiple MMEs and only connected to one SAEGW.
Case-D the Enode B is connected to multiple MMEs and multiple SAE-GW.

Serving SAE Gateway: S5/S8 Interface
The main functionality is to forward traffic between S GW and P-GW.
S5 is standardized for local network and S8 is standardized for roaming
A control and user plane is under two different protocol stacks GTP and
PMIP.

PDN SAE Gateway
PDN Gateway (PGW) Functions
UE IP address allocation.
Per-user based packet filtering .
Transport level packet marking in the uplink and downlink.
Accounting for inter-operator charging.
UL and DL service level gating control.
Policy & Charging enforcement.

Combined SAE-Gateway
The S-GW and P-GW may be integrated into one node to act as an SAE-GW

Home Subscriber Server
Provides the subscriber Data Management and mobility information (User
Number ,location, profile , QoSetc.)
The HSS includes also the functionality of the AUC.
Connects to the SAE or S-GW via the S6a interface for roaming and local
Networks.

Policy and Charging Rule Function
The PCRF controls the main policies assigned per subscriber.
Provide a QoS Negotiation and management through the Gx interface which
may include a modification or change in the SAE Bearer.
Provide a Data Network interface through the Rx+
An extra interface is provided between local and roaming PCRF the interface is
defined in the 3GPP by S9.

Roaming/Non-Roaming Architecture
Non-roaming architecture
UTRAN
SGSN
HSS
GERAN
S3
S1-MME
S6a
MME
PCRF
S11
S10
LTE-Uu
UE
S12
Serving
Gateway
E-UTRAN
S5
Rx
Gx
S4
PDN
Gateway
S1-U
SGi
Operator's IP
Services
(e.g. IMS, PSS etc.)

Non-roaming architecture for 3GPP accesses. Single gateway
configuration option
UTRAN
SGSN
HSS
GERAN
S3
S1-MME
S6a
MME
PCRF
S11
S10
LTE-Uu
UE
S12
Serving
Gateway
E-UTRAN
Rx
Gx
S4
PDN
Gateway
S1-U
SGi
Operator's IP
Services

Roaming architecture for 3GPP accesses. Home routed
traffic
HSS
PCRF
Gx
Rx
S6a
PDN
Gateway
HPLMN
VPLMN
S8
UTRAN
SGSN
GERAN
S12
S3
S1-MME
S4
MME
S11
S10
LTE - Uu
UE
Serving
Gateway
E-UTRAN
S1-U
SGi
Operators IP
Services

Roaming architecture for local breakout, with home operator's application
functions only
HSS
H-PCRF
Rx
S6a
S9
HPLMN
VPLMN
Home
Operators IP
Services
UTRAN
SGSN
GERAN
S3
S4
S1-MME
V-PCRF
S12
MME
Gx
S11
S10
"LTE-Uu"
UE
Serving
Gateway
E-UTRAN
S1- U
S5
PDN SGi
Gateway
Visited Operator
PDN

Roaming architecture for local breakout, with visited operator's application
functions only
HSS
H-PCRF
S6a
S9
HPLMN
VPLMN
UTRAN
SGSN
GERAN
S3
V-PCRF
S4
S1-MME
S12
MME
Rx
Gx
S11
S10
LTE-Uu
UE
S5
Serving
Gateway
E-UTRAN
S1-U
SGi
PDN
Gateway
Visited
Operator's IP
Services
LTE/EPC Mobility And

Session Management
Module Three
Agenda
Mobility and Session Management states

UE and Network identifications
LTE/EPC Bearer Types and QoS
LTE/EPC Attach Procedure
LTE/EPC Detach Procedure
LTE/EPC Bearer Activation Procedure
LTE/EPC Service Request Procedures
Tracking Area Update
LTE/EPC Handover
MM and SM States
Introduction
Analogue between 2G/3G network and LTE networks
3G
LTE
GPRS attached
EMM Registered
Concept PDP Context
Process
EPC Bearer
RAB
Radio Bearer+S1 Bearer
3G
LTE
GPRS attach
Attach+Default Bearer
Primary PDP Context
Default Bearer Activation
Secondary PDP Context
Dedicated Bearer Activation
Routing Area Update
RAB assignment (primary)
Initial Content Setup
RAB assignment (secondary)
Bearer Setup request
MM and SM States
Introduction
MM and SM in LTE is serving the same purpose as in the previous 2G/3G
networks.
In LTE we have two states defined for each UE
EPS Mobility Management States (EMM).
EPS Session Management States (ESM).
ESM purpose is to keep track of the session assignment and data
handling
EMM purpose is to keep track of the user location and to keep the
wireless mobility to a high accuracy level.
MM and SM States
Introduction: EMM States
EMM De-registered
The MME doesnt have any information about the UE location at any
level.
The MME may hold an old information about the UE context.
Attach or TAU would change the status to a Registered EMM state.
EMM Registered
The MME hold the location information of the UE.
The Tracking Area is the min. Location information.
The UE would perform all the related EMM procedure such as the TRAU.
The UE can also request to send data or receive data.
MM and SM States
Introduction: ECM States
ECM IDLE
There is no context for the UE in the UTRAN
There is no signaling associated between the UTRAN and EPC
The Location is known up to the level of the Tracking area
Tracking area Updates
ECM Connected
There is a valid context for the UE
There is a signaling associated in the UTRAN (RRC) and signaling associated
in the EPC level (S1 bearer)
The location is known up to to the accuracy of cells
Cell handover
ECM Connected= RRC Connected + S1 Connection
MM and SM States
Introduction: ECM States
The UE has two states RRC status and ECM status.
The E-UTRAN has only RRC status.
The MME has only ECM status
RRC connected is a pre-requests to ECM connected
MM and SM States
Introduction: RRC States
RRC IDLE
There is no RRC context stored in the EnodeB
There is no signaling associated between the EnodeB and UE
Cell selection and reselection
UE is ready for paging
UE receives system information
RRC Connected
There is an RRC context stored in the EnodeB
There is a signaling associated between the EnodeB and UE
Cell handover
UE can transmit and receive data
UE reports neighbor cell measurement
MM and SM States
State Diagram
Agenda

LTE/EPC Handover
UE And Networks Identifiers

Introduction
In LTE we have four main identifications:
IMSI:
International Mobile Subscriber Identity ,used to identify the UE
globally each SIM card has a unique IMSI which identifies the user
profile within the Mobile Network
S-TMSI:
SAE Temporary Mobile Subscriber Identity ,used to identify the UE
temporarily within the Mobile Network
C-RNTI:
Cell Radio Network Temporary Identity, used to temporarily identify the
User within the Radio Access.
S1-AP UE ID:
S1 Application Protocol User Equipment Identity, identifies the S1
control signaling within the Core part.

IMSI
Uniquely identifies the UE globally within the Mobile Network
IMSI is the same for 2G/3G/4G Network
IMSI is composed of MCC+MNC+MSIN:
o MCC: mobile country code
o MNC: mobile network code
o MSIN: mobile subscriber identification number
MME identifies the UE using the IMSI

S-TMSI
S stands for SAE , SAE Temporary Mobile Subscriber Identity
S-TMSI is allocated temporarily by the MME
S-TMSI is used instead of the IMSI for security reasons
MME ID identifies the MME incase multiple MME connectivity
S-TMSI is associated with the IMSI within the MME
S-TMSI is a 32 Bit size
Used for paging and Service Request

C-RNTI
Cell Radio Network Temporary Identity
C-RNTI is assigned by the enodeB when the RRC is connected
Temporary identification used for radio resource management
The RNTI is signaled in the MAC layer
The C-RNTI is a 16-bit numeric value.

S1-AP
S1-AP identifies the Signaling messages transferred between the MME and
EnodeB.
Each of The Enode B and MME assigns a separate S1-AP ID
eNB S1-AP UE ID
MME S1-AP IE ID
This two IDs is to control the messages between MME and Enode B on the S1
interface.

State Diagram

GUTI
Globally Unique Temporary Identity (GUTI)
the GUTI is allocated to the UE by the MME
The purpose of the GUTI is to provide an unambiguous identification of the UE that does not
reveal the UE or the user's permanent identity in the Evolved Packet System (EPS).
It can be used by the network and the UE to establish the UE's identity during signalling between
them in the EPS.

GUTI
The GUTI has two main components:
-one that uniquely identifies the MME which allocated the GUTI.
-one that uniquely identifies the UE within the MME that allocated the GUTI.

ECGI
E-UTRAN Cell Global Identifier (ECGI)
An Identifier used to identify cells globally. The ECGI is constructed from the PLMN
identity the cell belongs to and the Cell Identity (CI) of the cell.

TAI
Tracking Area Identity (TAI)
The Identifier is used to identify tracking areas. The TAI is constructed from the PLMN
identity the tracking area belongs to and the TAC (Tracking Area Code) of the
Tracking Area.
Agenda

LTE/EPC Handover

E2E Bearer
Bearers identifies the User plane across the LTE/EPC network (E2E Bearer)
Each user is identified by a certain Bearer and QoS assigned
Bearers (Radio bearers , SAE Access Bearer , S5/S8 bearer )
The SAE Bearer is associated with QoS

E2E Bearer
Radio bearers
The first bearer Between UE and eNB.
The Radio bearers is mapped to the air interface physical resources.
SAE Access Bearer
The second bearer Between eNB and SAE GW.
Implemented using GTP tunnel version 1
MME exchange signaling with EnodeB to create Bearer.
S5/S8 bearer
The third bearer Between the P-GW to S-GW.
This is usually a GTP or MIP tunnel between S GW and P-GW.
External bearer
The fourth bearer Between the P-GW to the application layer.

E2E Bearer
Every Service on LTE requires a certain QoS and certain level of efficiency i.e.
priority , delay , jitteretc.
Application services could be (browsing, downloading , streaming ,voice.etc)
Each traffic flow inside the LTE network would achieve a certain QoS based on
the service request.
All data transmitted/received within a bearer, must have the same QoS
assigned to that Bearer.
A UE could have multiple services with multiple bearers assigned

Bearer Definition
1-Default Bearer
Allocated during the Initial attach of the system
Non-GBR (Non Guaranteed Bit Rate) is allocated
2-Dedicated Bearer
Allocated on demand by external Services
GBR is allocated (Guaranteed Bit Rate)
GBR bearers is always reserve a dedicated resources ,This is required for
services with low delay and jitter (Voice).
GBR bearer will usually also limit the resources for some services based on the
assigned bandwidth.
MBR: the maximum bit rate assigned for GBR Bearers.
AMBR: the total maximum bit rate (MBR) for all non-GBR bearers .

Bearer QoS
Traffic Flow Template (TFT)
The TFT is a kind of a filter that specifies each bearer with the associated
traffic which data traffic to which bearer.
The filter is applied on Uplink and downlink traffic with a certain criteria (IP
address , port, protocol ,etc).
Traffic flow template is always associated with dedicated bearer and while
default bearer may or may not have TFT.
QoS Class Identifier (QCI)
An integer number assigned to each bearer to identify the QoS category
assigned to it.
These labels can be transferred to IP header tags on S1-U,S5/S8 to implement
IP QoS.
Allocation/Retention Priority (ARP)
This parameter identifies the Resource allocation priority during the SAE bearer
setup.

Bearer QoS
The EPS bearer with GTP-based S5/S8
Application / Service Layer
UL Traffic Flow Aggregates
UL-TFT
UL-TFT RB-ID
RB-ID S1-TEID
UE
eNodeB
eNB
Radio Bearer
DL Traffic Flow Aggregates
DL-TFT
DL-TFT S5/S8-TEID
S1-TEID S5/S8-TEID
Serving GW
S1 Bearer
S5/S8 Bearer
PDN GW

Bearer QoS
Each SAE bearer Quality of service would include QCI, ARP ,MBR,GB, TFT and
AMBR.
L-EBI: It stands for Linked EPS bearer ID

L-EBI tells Dedicated bearer which default bearer it is attached to

Bearer QoS
NAS PDU, Activate Dedicated Bearer Request (E-RAB Request)
LTE/EPC Bearer Types

Bearer QoS
QoS Class Identifier(QCI)
Value for scheduling and Identifies a particular service or class of services
Allocation and Retention Priority(ARP)
Used to accept/modify/drop bearers in case of resource limitation
Guaranteed Bit Rate(GBR)
Only for GBR-bearers
- Maximum Bit Rate (MBR).
The MBR limits the bit rate that can be expected to be provided by a GBR
bearer (e.g. excess traffic may get discarded by a rate shaping function).

Bearer QoS

Bearer QoS
The ARP shall contain information about the priority level (scalar), the preemption capability (flag) and the pre-emption vulnerability (flag).
The pre-emption capability information of the ARP defines whether a bearer
with a lower ARP priority level should be dropped to free up the required
resources.
The pre-emption vulnerability information of the ARP defines whether a
bearer is applicable for such dropping by a pre-emption capable bearer
with a higher ARP priority value.
Your request is accepted, and because you
have a higher priority you can pre-empt
Agenda

LTE/EPC Handover

The attach procedure in LTE/SAE is quite similar to the GPRS attach in
2G/3G
1.
2.
3.
4.
5.
6.
The UE sends the ATTACH REQUEST message (NAS) including old STMSI, old TAI and information about the allocated PDN (IP) addresses.
The eNB selects an available MME and forwards the message to it.
The first task of the MME is to identify and authenticate the subscriber.
Thus it contacts the old MME (identified via S-TMSI/TAI) with
IDENTIFICATION REQUEST (GTP-C).
Authentication vectors for the subscriber. (Flowchart shows direct
contact with HSS). The authentication mechanism is the same as in 3G.
the new MME can begin to update the HSS and download the
subscription data from there
During this process the HSS will also force the old MME to clear the
stored data about the subscriber using the Diameter operation CANCEL
LOCATION.

The attach procedure in LTE/SAE is quite similar to the GPRS attach in 2G/3G

The attach procedure in LTE/SAE is quite similar to the GPRS attach in
2G/3G
1.
2.
3.
4.
5.
Based on the subscription data the new MME must decide whether a
default bearer has to be created or not.
The default access point name (default APN) assists the MME in selection
of an appropriate SAE GW. To this serving gateway the CREATE
DEFAULT BEARER REQUEST message (GTP-C) is sent to.
The SAE GW will now create the S5/S8 tunnel. This is done with the
same message, but sent to the PDN GW.
When the EPC resources for the default bearer are prepared, the new
MME can give the ATTACH ACCEPT message to eNB.
The S1-AP message which will contain this one will hold the tunnel
endpoint identifier allocated by the SAE GW for S1 interface.

7.
The eNB creates the radio bearer for the default SAE bearer and
returns ATTACH COMPLETE to the MME.
8. The S1-AP message this one is in will hold the TEID allocated by the eNB
for S1 interface.
9. Via an UPDATE BEARER procedure the MME will give this parameter to
the SAE GW.
10. Now the default SAE bearer is complete and the UE is in state
EMM_REGISTERED and ECM_CONNECTED.


Initial Attach Request, Initial UE message
RRC establishment with cause (mo-signaling)
Identities in the First attach message:

eNB-UE-S1AP-ID
TAI (MNC,MCC,TAC)
EUTRAN-CGI (PLMN id, MCC, MNC, Cell-id)

Initial Attach Request, the NAS PDU (EPS attach request)
Identities of the NAS PDU:

EPS Mobility identity (IMSI)
Capabilities:
UE Network Capability (integrity algorithm supported,
EEA,EIA,UEA,UCS,UIA, etc)
MS Network Capability (SRVCC,I SR, inter-RAT HO, Encryption Algorithm
GEA,LCS, etc)
DRX Parameters (Timers, Cycle Length, etc.)
ESM Container (EPS Session Management )

Initial Attach Request, ESM Container (EPS Session Management ),PDN Connectivity Request
Protocol Configuration Options:

DNS IPs
Authentication Challenges

Initial Attach Request, ESM Container (EPS Session Management ),PDN Connectivity Request
Security ESM information transfer required for security Reasons (No APN
information)
Will be communicated after Authentication: ESM information Request/ Reply


Authentication request from the MME to the UE
Identities in the AIR:

eNB-UE-S1AP-ID
MME-UE-S1AP-ID
Authentication Parameters:
RAND
SQN
AMF
MAC

Authentication Reply from the UE to the MME
Identities in the AIR :

eNB-UE-S1AP-ID
MME-UE-S1AP-ID
TAI (MNC,MCC,TAC)
EUTRAN-CGI (PLMN id, MCC, MNC, Cell-id)
RES

Security Mode Command from the MME to the UE
NAS Selected Security Algorithm:

Integrity Algorithm (ex. 128-EIA1 )
Ciphering Algorithm (ex. EEA0 )
UE Security Capability
IMEISV Request

Security Mode Complete from the UE to the MME
Identities :
eNB-UE-S1AP-ID
MME-UE-S1AP-ID
TAI (MNC,MCC,TAC)
EUTRAN-CGI (PLMN id, MCC, MNC,
Cell-id)
IMEISV Sent with Security mode complete
confirmation

ESM Information Request/ ESM Information
Reply
NAS ESM information :
APN information


The Attach accept message include the e-RAB setup

RAB Setup Context ids:
e-RAB-ID
GTP-TEID

The Attach accept message include the eRAB setup

RAB Setup Context ids:
e-RAB-ID
GTP-TEID

RAB Setup Contains the

NAS PDU
GPRS Timers
TAI list
GUTI (MCC, MNC
,MME Group-id, MME
Code, M-TMSI)

ESM Message Container
QoS (QCI 5 for
default)
APN name
IP assigned
LLC
QoS
AMBR
Packet Flow filter
PCO

Attach accept
GTP-TEID
E-RAB ID

Attach Complete
Default Bearer Context
Accept
Agenda

LTE/EPC Handover
Detach Procedures
UE Initiated Detach
The transition to EMM_DEREGISTERED state is achieved by the NAS detach
procedure.
The procedure consists of:
DETACH REQUEST / DETACH ACCEPT procedure between UE and MME.
the DELETE BEARER procedure between MME and SAE GW and PDN
GW.
S1 RELEASE procedure between MME and eNB deletes all radio
resources.
Detach Procedures Can be triggered by three Parties:
1. UE
2. MME
3. HSS
Detach Procedures
UE Initiated Detach
Detach Procedures
UE Initiated Detach
UE NAS Detach Request
Detach Procedures
UE Initiated Detach
Signaling Connection Release ( Context Release)
Detach Procedures
MME Initiated Detach
The transition to EMM_DEREGISTERED state is achieved by the NAS
detach procedure.
The procedure consists :
1.
DETACH REQUEST / DETACH ACCEPT procedure between UE and

MME
2.
DELETE BEARER procedure between MME and SAE GW and PDN

GW.
3.
S1 RELEASE procedure between MME and eNB deletes all radio

resources.
Detach Procedures
MME Initiated Detach
Detach Procedures
HSS Initiated Detach
Agenda

LTE/EPC Handover
LTE/EPC Bearer Activation

1.
The external data network triggers the request for a new IP connectivity
bearer (SAE bearer) via the PCRF connected to the PDN gateway that
owns the default SAE bearer of this user. This is sent in form of a policy
and charging control (PCC) decision from PCRF to PDN GW.
2.
The PDN GW first of all uses GTP-C CREATE DEDICATED BEARER REQUEST
to setup the tunnel between PDN GW and SAE GW.
3.
The SAE GW allocates the resources for the S5/S8 tunnel and forwards
an associated request to the MME for the S1 tunnel.
4.
If the UE is currently ECM_IDLE it must be paged. Thus the MME sends

PAGING messages of S1-AP protocol to all eNB that own cells of the UEs
current tracking area (or tracking areas).

5.
If the UE receives such a paging it will respond with the SERVICE REQUEST
procedure. in the following the default SAE bearer will be re-established.
6.
If the default bearer is up and the UE is in state ECM_Connected the radio

bearer and S1 tunnel for the new SAE bearer can be created. Thus the
MME sends to the eNB the S1-AP message BEARER SETUP REQUEST. It
contains the TEID from SAE GW for the new S1 tunnel. This message also
triggers the setup of the new radio bearers.
7.
The response messages now run from UE to eNB to MME to SAE GW to

PDN GW to PCRF. With this the new SAE bearer is ready for use.

The default SAE bearer is created when the UE is attached to the Network.
Any other bearers is activated via a dedicated bearer procedure ,Dedicated
bearers can be triggered by the external data network and user.

Activate Dedicated EPS Service
Activate Dedicated Bearer Request is Sent from the MME to the UE, with the E-RAB Setup

NAS PDU, Activate Dedicated Bearer Request (E-RAB Request)

E-RAB Setup Response
E-RAB Response
identities:
GTP-TEID
E-RAB ID

Agenda

LTE/EPC Handover
LTE/EPC Service Request

Introduction
The purpose of this procedure is to transfer the EMM mode from EMMIDLE to EMM-CONNECTED mode, and establish the radio and S1 bearers
when user data or signaling is to be sent.
The Service Request Procedure is used in the following conditions

UE in EMM-IDLE and has a pending User data or signalling to be sent.
UE is EMM-IDLE and receives a PS paging request.
CS Fallback Scenarios (Extended Service Request)
The Service reuest is divided to two types:

1. UE Initiated Service Request
2. MME Initiated Service Request

UE Initiated Service Request
1.
2.
3.
4.
5.
6.
The UE sends the NAS message SERVICE REQUEST uplink via eNB to the
MME. If there are multiple MME connected to the eNB it is the task of the
eNB to select the right MME (the one the UE is registered with) from S-TMSI
and TAI.
The MME can now start authentication if required.
the MME start to re-establish the radio bearer and S1 tunnels for the active
SAE bearers of the UE.
MME sends the S1-AP message INITIAL CONTEXT SETUP REQUEST to the
eNB. This message contains the still active tunnel endpoint identifiers from
SAE GW and request the eNB to create new radio bearers.
eNB returns INITIAL CONTEXT SETUP RESPONSE in which it indicates its own
tunnel endpoint identifiers for S1 interface.
These TEIDs of the eNB are now forwarded to the SAE GW with GTP-C
UPDATE BEARER REQUEST. This completes the transition of the UE to
LTE_ACTIVE.

UE Initiated Service Request

MME Initiated Service Request

MME Initiated Service Request
Extended Service Request used in CS Fallback Scenarios

S1 Release
If the UE spends too much time in inactivity time , either the enodeB or the
MME should free the resources through what is called S1 release

S1 Release
1.
The eNB send the message S1 RELEASE REQUEST (S1-AP) to the MME to
request the release of all EUTRAN resources for a UE.
2.
When the MME gets a trigger to release the UE from EUTRAN, it will
release the S1 tunnels allocated for the SAE bearers of the UE. This is
done by sending an UPDATE BEARER REQUEST message (GTP-C) to the
SAE GW.
3.
In parallel to the previous step the MME will send the S1-AP message
S1 RELEASE COMMAND to the eNB. It will trigger the release of the UE
on the air interface with message RRC CONNECTION RELEASE (RRC).
4.
This will bring the UE to RRC_IDLE state and with that also to LTE_IDLE
state. The UE acknowledges with RRC CONNECTION RELEASE ACK.

S1 Release
Agenda

LTE/EPC Handover

Introduction
Tracking area is the counterpart of the routing area in the 2G / 3G system as a
reference of paging during MT call.
TAI is composed of a group of cells.
Tracking Area Identity is composed of MCC (Mobile Country Code) plus MNC
(Mobile Network Code) plus TAC (Tracking Area Code).

Introduction
A cell may co-exist in two TAI meaning a TAI may overlap.
A UE reports several TAI on the same time as an advantage to reduce multiple
RAI change.
Multi Tracking Area Registration :UE only triggers TAU when moving to a cell
belonging to a TA not in the TA list for that UE.
MME Pooling: several MME handle the same tracking area.

Procedure
1. The UE sends TRACKING AREA UPDATE REQUEST with its current S-TMSI and old TAI
to the eNB. This one has to forward the message to a MME. If the old MME cannot be
selected, then a new MME must be chosen by the eNB.
2. The new MME must first of all get the identity (IMSI) of the subscriber and
authenticate him/her. Therefore the new MME contacts the old one via GTP-C
CONTEXT REQUEST.
3. The CONTEXT RESPONSE contains IMSI, authentication vectors, but also all
information about the currently active SAE bearers of this user.
4. After a successful authentication the new MME informs the old one, that it is ready
to take control over the UE.
5. The old MME will now start a timer and wait for the cancellation of the subscriber
record.
6. In parallel to the previous step the new MME sends GTP-C CREATE BEARER
REQUEST to the SAE GW it has selected.
7. The message will trigger the setup of new S1 tunnels and trigger an update towards
PDN GW. This will change the traffic path from PDN GW to new SAE GW to new
eNB.

Procedure
UE
eNB
new
MME
old
MME
New
SGW
old
SGW
Tracking Area Update Request

S-TMSI/IMSI,old TAI, PDN (IP) address allocation
Context Request
S-TMSI/IMSI,old TAI
Context Response
Authentication Request
mobility/context data
authentication challenge
Authentication Response
Authentication response
Context Acknowledge
S-TMSI/IMSI,old TAI
Create Bearer Request
IMSI, bearer contexts
Update Bearer Request

new SGW-S5 IP/TEID
LTE/EPC
Technology
Essentials- Fast TrackUpdate Bearer Response
Create
Bearer Response
new SGW-S1 IP/TEID
PDN GW IP/TEID
PDN
Gatew
ay
HSS

Procedure

Procedure
8.
9.
Also simultaneously with the previous steps the MME will update the HSS.
During this the HSS will cancel the subscriber record in the old MME. The
old MME will of course also delete the old tunnels in the old SAE GW.
10. At the end the UE gets a NAS message TRACKING AREA UPDATE ACCEPT.
In it a new S-TMSI and new tracking area (or tracking area list) can be
contained.
11. The UE has to acknowledge with TRACKING AREA UPDATE COMPLETE.

Procedure
UE
eNB
new
MME
New
SGW
old
MME
old
SGW
Update Location
new MME identity, IMSI,
Cancel Location
IMSI, cancellation type = update
Cancel Location Ack
Delete Bearer Request
TEID
Delete Bearer Response
Update Location Ack
Tracking Area Update Accept
new S-TMSI, TA/TA-list
Tracking Area Update Complete
PDN
Gatew
ay
HSS
Agenda

LTE/EPC Handover
LTE/EPC Handover
Introduction
UE is in ECM_Connected state.
UE sends measurements and reports to the eNB to assist in the handover
decision.
Downlink Packets are forwarded from the source cell to the target cell.
Target cell is selected by the network, not by the UE.
Handover control in E-UTRAN (not in packet core), Only once the
handover is successful, the packet core is involved.
Intra LTE/SAE Network Handover Types:

1. Intra eNB handover.
2. Inter eNB handover with X2 interface and without CN node relocation.
3.-Inter eNB handover without X2 Interface.
LTE/EPC Handover
X2 Based Handover
UE
source
eNB
target
eNB
RRC: Measurement Control

Packet Data
RRC: Measurement Report
X2AP: Handover Request
target cell, serving MME & SAE GW,
X2AP: Handover Request Ack
RRC: Handover Command
HO-command, X2 data forwarding tunnel,
target cell description, C-RNTI,
DL Packet Data
MME
Serving
Gateway
(SGW)
LTE/EPC Handover
X2 Based Handover
UE
source
eNB
MME
target
eNB
Serving
Gateway
(SGW)
Synchronization
UL Allocation + timing advance
S1AP: Handover Complete
Path Switch Request
RRC: Handover Confirm
target eNB IP/TEID,
Update Bearer Request

target eNB IP/TEID,
Packet Data
S1AP: Handover Complete Ack

Path Switch Req. Ack.
X2AP: Release Resources
new SGW-S1 IP/TEID,
DL Packet Data
Packet Data
Update Bearer Response

new SGW-S1 IP/TEID,
LTE/EPC Handover
X2 Based Handover
X2-based Handover Handover Request
LTE/EPC Security
And Authentication
Module Four
EPS Security And Authentication

EPS AKA
EPS AKA: EPS Authentication and Key Agreement
EPS AKA shall be based on USIM and extensions to UMTS
AKA
Access to E-UTRAN with 2G SIM shall not be granted, R99
USIM will be accepted.
UMTS AKA achieves mutual authentication between the user
and the network (MME,HSS) by demonstrating knowledge of a
pre-shared secret key K
K is only known by the USIM and the AuC in the users HSS.
EPS AKA shall produce keys that are the basis of:
1. C-plane Protection.
2. U-plane protection.

EPS Authentication Procedures
1. HSS replies with Authentication Vector (
RAND, AUTN, Kasme, XRES).
HSS Generated
K
SEQ
XRES
AUTN
2. MME sends UE (RAND, AUTN, Kasme).
3. UE uses AKA algorithm to calculate

(RES,AUTNue)
4. UE Compares AUTN,AUTNue HSS
Authenticated
5. MME Compares RES,XRES UE
Authenticated
RAND
CK
IK
Kasme

eNB
UE
MME
HSS
NAS: attach Request
User Id, UE Capabilities, etc.
Authentication Data Request

Authentication Data Response
Authentication Vectors: RAND(i), KASME(i), AUTN(i), XRES(i)
NAS: USER Authentication Request

RAND(i), KASME(i), AUTN(i)
NAS: USER Authentication Response
RES(i)

Authentication request from the MME to the UE
Identities in the AIR:

eNB-UE-S1AP-ID
MME-UE-S1AP-ID
RAND
SQN
AMF
MAC

EPS Security
Authentication Reply from the UE to the MME
Identities in the AIR :

eNB-UE-S1AP-ID
MME-UE-S1AP-ID
TAI (MNC,MCC,TAC)
EUTRAN-CGI (PLMN id, MCC, MNC,
Cell-id)
RES

EPS Security

EPS Security
Security Mode Command from the MME to the UE
NAS Selected Security Algorithm:

Integrity Algorithm (ex. 128-EIA1 )
Ciphering Algorithm (ex. EEA0 )
UE Security Capability
IMEISV Request

EPS Security
EPS Authentication, Mutual Authentication between UE,MME and HSS.
Base Key: K
Derived Keys: Kasme
Core network (NAS) signaling, integrity and confidentiality protection
terminate in MME.
Base Key: Kasme
Derived Keys: Knas(int), Knas(enc)
Radio network (RRC) signaling, integrity and confidentiality protection
terminate in eNodeB.
Base Key: KeNB
Derived Keys: Krrc(int), Krrc(enc)
For User plane protection, to protect the traffic between UE and EnodeB
Encryption terminates in eNodeB
Base Key: KeNB
Derived Keys: Krrc(int), Krrc(enc)
DNS Functionalities
in LTE
Module Five
DNS Functionalities in LTE

Introduction
A records
A stands for IPv4 records lookup.
Map Host names to IPs.
AAA Records
AAAA stands for IPv6 record lookup.
Map Host names to IPs.

Introduction
Name Authority Pointer (NAPTR)
Resource records specify lookup services
NAPTR will produce a new domain label or URI
S-NAPTR: Straightforward NAPTR is used to add particular services to a DNS
entry.
The S-NAPTR also simplifies the use of NAPTR by limiting the NAPTR flags only
to "a", "s" and ""
NAPTR Reply
the next lookup is an SRV records (The "S" Flag ).
the next lookup is A, AAAA records. i.e. IP record (The "A" Flag).
more NAPTR RR lookups are to be performed ( empty flag " ").

Introduction

Introduction

Introduction
DNS Server Selection SRV
Allows DNS administrators to use pool of servers for a
single domain, to move services from host to host, and to designate
some hosts as primary servers for a service from a
pool of hosts.
For the flag "s" case the topologically aware naming restriction
applies to the targets in the SRV record, and not the NAPTR record
replacement target.
Entry
topon.nodes.sgw.be.epc IN SRV 1 100 2123 testSGW.sgw.be.epc.mnc99.mcc999.3gppnetwork.org.

Introduction

Introduction
<"topon" | "topoff"> . <single-label-interface-name> . <canonical-node-name>
Where the first label is "topon" or "topoff" to indicate whether or not

collocated and topologically close node selection shall be preferred,
"single-label-interface-name" is a single label used to name a specific
interface on a node (e.g. Eth-0, S8, vip, board3)
"canonical-node-name" is a the canonical name of a specific node. When
comparing host name FQDNs to find out whether the nodes are actually the
same, the first two labels of the host name FQDN shall be ignored.

SGW Selection
SGW FQDN=
tac-lb<TAC-low-byte>.tac-hb<TAC-highbyte>.tac.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org
Service Parameters =
x-3gpp-sgw:x-s5-gtp
Topological matching with "topon" shall have higher importance in ordering
which DNS records are used than the S-NAPTR ordering

SGW Selection

PGW Selection
PGW selection is performed by the MME/SGSN at initial attach or PDN
connection establishment.
Query is done based on APN.
No Topology logic included.
PGW FQDN=
<APN-NI>.apn.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org
Service Parameters =
x-3gpp-pgw:x-s5-gtp

Service Parameters
PGW
Discovering a PGW for a 3GPP Access - S8/Gp roaming case "x-3gpp-pgw:x-s8gtp", "x-3gpp-pgw:x-s8-pmip", "x-3gpp-ggsn:x-gp, etc.
Discovering a PGW for a 3GPP Access - S5/Gn intra-operator existing PDN "x3gpp-pgw:x-s5-gtp", "x-3gpp-pgw:x-s5-pmip", "x-3gpp-ggsn:x-gn"
Discovering a PGW for a non-3GPP Access S2a/S2b initial attach for roaming and
non-roaming "x-3gpp-pgw:x-s2a-pmip", "x-3gpp-pgw:x-s2b-pmip", "x-3gpp-pgw:xs2a-mipv4
Discovering a PGW for a non-3GPP Access S2a/S2b initial attach and chained
S2a/S2b with GTP or PMIPv6 based S8 "x-3gpp-pgw:x-s2a-pmip", "x-3gpp-pgw:xs2b-pmip"

Service Parameters
SGW
SGW Selection during TAU with SGW change - 3GPP roaming case "x-3gpp-sgw:xs8-gtp" or "x-3gpp-sgw:x-s8-pmip
SGW Selection during TAU with SGW change - non-roaming case "x-3gpp-sgw:xs5-gtp" and/or "x-3gpp-sgw:x-s5-pmip"

Service Parameters
Various
Services of a PGW from PGW node name "x-3gpp-pgw:x-s5-pmip" , "x-3gpppgw:x-s8-pmip" , "x-3gpp-pgw:x-s5-gtp" , "x-3gpp-pgw:x-s8-gtp, etc.
Services of a MME from MME node name " x-3gpp-mme:x-s10 ", "x-3gpp-mme:xs11", etc.
Services of an SGSN from a P-TMSI "x-3gpp-sgsn:x-gn", "x-3gpp-sgsn:x-gp", "x3gpp-sgsn:x-s3", "x-3gpp-sgsn:x-s4" , etc.
Thanks
Fast Track

Lte-Epc Technology Essentials Workshopv2

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Lte-Epc Technology Essentials Workshopv2

Uploaded by

Copyright:

Available Formats

LTE/EPC Technology Essentials- Fast Track

Hussien Mahmoud- PS Core/EPC Consultant

LTE/EPC Technology Essentials- Fast Track